The Hacker News — Cyber Security, Hacking, Technology News

Guess how many devices participated in last Friday's massive DDoS attack against DNS provider Dyn that caused a vast Internet outage?

Just 100,000 devices.

I did not miss any zeros.

Dyn disclosed on Wednesday that a botnet of an estimated 100,000 internet-connected devices was hijacked to flood its systems with unwanted requests and close down the Internet for millions of users.

Dyn executive vice president Scott Hilton has issued a statement saying that the compromised devices had been infected with the notorious Mirai malware, which is able to take over cameras, DVRs, and routers.

"We're still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints," Hilton said. "We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets."

Mirai malware scans for Internet of Things (IoT) devices that are still using their default passwords and then enslaves those devices into a botnet, which is then used to launch DDoS attacks.

A day after the attack, Dyn confirmed that a botnet of Mirai-infected devices had participated in Friday's distributed denial-of-service attacks.

However, after an initial analysis of the junk traffic, the company revealed yesterday that it had identified an estimated 100,000 sources of malicious DDoS traffic, all originating from IoT devices compromised by the Mirai malware.

Earlier the company believed that approximately "tens of millions" of IP addresses were responsible for the massive attack against its crucial systems, but the actual number turned out to be far lower, leaving all of us wondering:

How Did the Attack Reach This Massive Scale?

Hilton's answer: the Domain Name System protocol itself can amplify requests from legitimate sources.

"For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses," Hilton said. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume."

"It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be."

Friday's cyber attack overwhelmed Dyn's central role in routing and managing Internet traffic, rendering hundreds of sites and services, including Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and Airbnb, inaccessible to millions of people worldwide for several hours.

Dyn did not disclose the actual size of the attack, but it has been speculated that the DDoS attack could be much bigger than the one that hit French Internet service and hosting provider OVH that peaked at 1.1 Tbps, which is the largest DDoS attack known to date.

According to the company, this attack has opened up an important debate about Internet security and volatility.

"Not only has it highlighted vulnerabilities in the security of 'Internet of Things' (IOT) devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the Internet," Hilton said.

Next DDoS Attack could reach Tens Of Terabits-Per-Second

If IoT security is not taken seriously, future DDoS attacks could reach tens of terabits per second, network security firm Corero estimates.

DDoS attacks could reach tens of terabits per second in size following the discovery of a new zero-day attack vector capable of amplifying them by as much as 55x, Corero warned in a blog post published Tuesday.

According to the security firm, this new attack vector abuses the Lightweight Directory Access Protocol (LDAP), which, if combined with an IoT botnet, could break records in DDoS power.

Dave Larson of Corero explains:

"LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network."

You can read more on Corero's official website.

How to Protect your Smart Device from being Hacked

1. Change the default passwords of your connected devices: If you have any Internet-connected device at home or work, change its credentials if it still uses the default ones. Keep in mind that Mirai scans for default settings.

2. Disable Universal Plug-and-Play (UPnP): UPnP comes enabled by default in every IoT device and opens a hole in your router's security, allowing malware to reach any part of your local network.

Check for "Universal Plug and Play" features and turn them OFF.

3. Disable remote management through Telnet: Go into your router's settings and disable remote management, specifically over Telnet, a protocol that lets one computer control another from a remote location. Telnet has also been used in previous Mirai attacks.

4. Check for software updates and patches: Last but not least, always keep your connected devices and routers up to date with the latest vendor firmware.

Check if your IoT device is vulnerable to Mirai malware

There is an online tool called Bullguard's IoT Scanner that can help you check whether any IoT device on your network is vulnerable to Mirai.

If it detects any, contact the device's manufacturer or look for a patch that closes the gap.

The tool uses the vulnerability scanning service Shodan to find unprotected computers and webcams on your home network that are exposed to the public and potentially accessible to hackers.

You might be surprised to know that your security cameras, Internet-connected toasters and refrigerators may have inadvertently participated in the massive cyber attack that broke a large portion of the Internet on Friday.

That's due to the massive distributed denial-of-service (DDoS) attacks against Dyn, a major domain name system (DNS) provider that many sites and services use as their upstream DNS provider for translating between human-readable domain names and IP addresses.

The result we all know:

Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and Airbnb were among hundreds of sites and services rendered inaccessible to millions of people worldwide for several hours.

Why and How the Deadliest DDoS Attack Happened

It was reported that Mirai bots were used in the massive DDoS attacks against DynDNS, but they "were separate and distinct" from the bots used to execute the record-breaking DDoS attack against French Internet service and hosting provider OVH.

Here's why: initially, the Mirai source code was known only to a small number of hackers who were aware of the underground hacking forum where it was released.

But later, the link to the Mirai source code received massive exposure from thousands of media websites after journalist Brian Krebs first publicized it on his personal blog.

Due to the worldwide coverage, copycat and amateur hackers are now building their own botnets by hacking millions of smart devices, both to launch DDoS attacks and to make money by selling access to them as a DDoS-for-hire service.

Mirai is designed to scan for Internet of Things (IoT) devices, mostly routers, security cameras, DVRs or WebIP cameras, Linux servers, and devices running BusyBox, that are still using their default passwords. It enslaves vast numbers of these devices into a botnet, which is then used to launch DDoS attacks.

Chinese Firm Admits Its Hacked DVRs and Cameras Were Behind Largest DDoS Attack

More such attacks are expected to happen and will not stop until IoT manufacturers take the security of these Internet-connected devices seriously.

One such manufacturer is the Chinese firm Hangzhou Xiongmai Technology, which admitted that its products, DVRs and Internet-connected cameras, inadvertently played a role in Friday's massive cyber attack against DynDNS.

The Mirai malware can easily be removed from infected devices by rebooting them, but the devices will be reinfected within minutes if their owners and manufacturers do not take proper measures to protect them.

What's worse? Some of these devices, including connected devices from Xiongmai, cannot be protected because they use hardcoded passwords and were built in a way that prevents them from being easily updated.

"Mirai is a huge disaster for the Internet of Things," the company confirmed to IDG News. "[We] have to admit that our products also suffered from hacker's break-in and illegal use."

The company claimed to have rolled out patches for the security vulnerabilities, including weak default passwords, that allowed Mirai to infect its products and use them to launch the massive DDoS attack against DynDNS.

However, Xiongmai products that are running older versions of the firmware are still vulnerable. To tackle this issue, the company has advised its customers to update their product's firmware and change their default credentials.

The firm will also recall some of its earlier products, specifically webcam models sold in the US, and send customers a patch for products made before April last year, Xiongmai said in a statement on its official microblog.

Hackers are selling IoT-based Botnet capable of 1 Tbps DDoS Attack

Even worse is expected:

Friday's DDoS attack, which knocked out half of the Internet in the U.S., is just the beginning: hackers have started selling access to a huge army of hacked IoT devices capable of launching attacks that can severely disrupt any web service.

Anyone can buy 50,000 bots for $4,600 or 100,000 bots for $7,500, and the bots can be combined to overwhelm targets with traffic.

Hacker groups have long sold access to botnets as a DDoS weapon for hire, like the infamous Lizard Squad's DDoS attack tool Lizard Stresser, but those botnets largely consisted of compromised routers, not IoT devices like connected cameras, toasters, fridges and kettles (which are now available in bulk).

In a separate disclosure, a hacking group calling itself New World Hackers has also claimed responsibility for Friday's DDoS attacks, though the claim has not been confirmed.

New World Hackers is the same group that briefly knocked the BBC offline last year. The group claimed to be a hacktivist collective with members in China, Russia, and India.

Who is behind Friday's cyber attack is still unclear. The US Department of Homeland Security (DHS) and the FBI are investigating the DDoS attacks that hit DynDNS, but neither agency has yet speculated on who might be behind them.

The DynDNS DDoS attack has already shown the danger of IoT-based botnets, and it should alarm both IoT manufacturers, who need to start implementing security in their products, and end users, who need to start caring about the basic safety of their connected devices.

As Internet of Things (IoT) devices proliferate, they have become a much more attractive target for cybercriminals.

Just recently we saw a record-breaking distributed denial-of-service (DDoS) attack against the France-based hosting provider OVH that exceeded one terabit per second (1 Tbps) and was carried out via a botnet of infected IoT devices.

Now, such attacks are expected to grow more rapidly, as someone has just released the source code of an IoT botnet that was 'apparently' used to carry out the world's largest DDoS attacks.

Internet of Things-Botnet 'Mirai' Released Online

Dubbed Mirai, the malware is a DDoS Trojan that targets systems running BusyBox, a collection of Unix utilities designed for embedded devices like routers.

The malware is programmed to hijack connected IoT devices that are using the default usernames and passwords set by the factory before devices are first shipped to customers.

Spotted by Brian Krebs, the "Mirai" source code was released on Hackforums, a widely used hacker forum, on Friday.

However, there is no concrete evidence that this is the same botnet malware that was used to conduct the record-breaking DDoS attacks on Krebs' website or on OVH.

Reportedly, the attack code has built-in scanners that look for vulnerable smart devices in homes and enroll them into a botnet, which hackers and cyber criminals can then use in a DDoS attack to temporarily shut down any website.

The hacker, nicknamed "Anna-senpai," who released the Mirai source code said they have "made their money...so it's time to GTFO."

"So today, I have an amazing release for you," Anna-senpai wrote. "With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping."

Even after the above explanation, I am still wondering why the malware's author chose to dump the code online rather than keep making big money.

Beware: Don't Download It Or Use at your own risk!

I apologize if you are looking for the download link. We have come across hundreds of such malware samples and their source code, but ethically we prefer not to promote them through our articles, because that could indirectly help more blackhat hackers cause further damage.

What if the source code contains any backdoor?

It would not be at all surprising: we have seen several cases in past years where hackers took advantage of trending events, in this case a record-breaking DDoS attack, to strategically post and distribute backdoored malware.

Now that the malware is publicly released, anyone can download and use it to infect a large number of devices worldwide to create their own IoT botnet.

And if the code contains a backdoor, it would compromise not only the user who downloads it from the hacking forum but also every device in that user's botnet.

Since manufacturers of IoT devices focus mainly on performance and usability and neglect security measures and encryption, their devices are routinely hacked and used as weapons in cyber attacks.

Just recently we reported on vulnerable D-Link routers that contain several backdoors, which allow attackers to remotely hijack and control them, and with them the network, leaving all connected devices vulnerable to cyber attacks.

So, if you own one or more IoT devices, the first thing you need to do to protect yourself against cyber attacks is to change those default credentials.

Due to their insecure implementation, these Internet-connected embedded devices, including smart TVs, refrigerators, microwaves, set-top boxes, security cameras and printers, are routinely hacked and used as weapons in cyber attacks.

We have seen how hackers literally turned more than 100,000 smart TVs and refrigerators into a cyber weapon to send out millions of malicious spam emails; we have also seen hackers abuse printers and set-top boxes to mine bitcoins.

And now…

Cyber crooks are hacking CCTV cameras to form a massive botnet that can blow large websites off the Internet by launching Distributed Denial-of-service (DDoS) attacks.

Researchers at security firm Sucuri came across a botnet of over 25,000 CCTV cameras targeting businesses around the globe while defending a small jewelry shop against a DDoS attack.

The jewelry shop's website was flooded with almost 35,000 HTTP requests per second, making it unreachable to legitimate users.

However, when Sucuri attempted to prevent the network flood by using a network addressing and routing system called Anycast, the botnet increased the number of HTTP requests on the store's website to more than 50,000 per second.

The attack the researchers describe was a massive Layer 7 DDoS attack, which overwhelms web servers by tying up their resources and crashing websites.

The DDoS attack continued for days, making the researchers curious about its origin. When they dug deeper, they discovered that the requests were coming from Internet-connected CCTV cameras that had been remotely hijacked by cyber criminals to attack other services.

"It is not new that attackers have been using IoT devices to start their DDoS campaigns. However, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long," said Sucuri CTO Daniel Cid.

The IP addresses of the CCTV boxes carrying out the DDoS attack came from no fewer than 105 countries around the world. The Sucuri researchers noted a total of 25,513 unique IP addresses within a few hours; some of them were IPv6.
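As an added example (not Sucuri's tooling or code from the original article), the following Python script runs the kind of detection logic a defender applies to a web server's access log during an incident like this one: it buckets requests per second and flags a second only when the volume is high and spread across many distinct sources, IPv4 and IPv6 alike, which distinguishes a botnet flood from a single abusive client. The log lines, addresses, timestamps and thresholds are all constructed.

```python
"""Flag distributed Layer 7 (HTTP) floods in access logs.

Added example for the Sucuri CCTV-botnet case; not code from Sucuri or the
original article.  All sample traffic below is constructed.
"""
import re
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format line; the client field may be IPv4 or IPv6, since the
# Sucuri data above contained both.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client address, timestamp, request line) or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        return ipaddress.ip_address(m["ip"]), datetime.strptime(m["ts"], TS_FMT), m["req"]
    except ValueError:  # malformed address or timestamp
        return None


def analyse(lines, rps_threshold, min_sources):
    """Bucket requests per second and flag seconds that look like a distributed flood.

    A second is flagged when its request count reaches rps_threshold AND at
    least min_sources distinct clients contributed.  One abusive client can be
    rate-limited per IP; a flood from thousands of cameras cannot, which is why
    Sucuri had to absorb it at the network layer instead.
    """
    per_second = defaultdict(Counter)  # second -> Counter(client -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, ts, _ = parsed
        per_second[ts.replace(microsecond=0)][client] += 1

    alerts = []
    for second in sorted(per_second):
        clients = per_second[second]
        total = sum(clients.values())
        if total >= rps_threshold and len(clients) >= min_sources:
            alerts.append({
                "second": second.isoformat(),
                "requests": total,
                "sources": len(clients),
                "ipv6_sources": sum(1 for c in clients if c.version == 6),
                # share of the busiest client; near 1/sources means evenly spread
                "top_source_share": round(max(clients.values()) / total, 3),
            })
    return alerts


def _log_line(client, ts, path):
    return f'{client} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one second of flood traffic from 40 distinct clients in
# the RFC documentation address ranges (not real hosts), one quiet second from a
# single legitimate visitor, and one junk line the parser must skip.
FLOOD_TS = "10/Jun/2016:14:00:01 +0000"
QUIET_TS = "10/Jun/2016:14:00:02 +0000"
SAMPLE_LINES = (
    [_log_line(f"203.0.113.{n}", FLOOD_TS, "/") for n in range(1, 31)]
    + [_log_line(f"2001:db8::{n:x}", FLOOD_TS, "/") for n in range(1, 11)]
    + [_log_line("198.51.100.7", QUIET_TS, "/catalog") for _ in range(3)]
    + ["not a log line"]
)

if __name__ == "__main__":
    # Thresholds are scaled down for the sample; the real flood ran at ~35,000 req/s.
    for alert in analyse(SAMPLE_LINES, rps_threshold=20, min_sources=10):
        print(alert)
```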

This is not the first incident in which hackers have hijacked CCTV cameras to launch DDoS attacks against services. Late last year, Imperva's Incapsula team warned about a massive DDoS botnet of CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

Since the Internet of Things is rapidly growing and changing the way we use technology, it drastically expands the attack surface, and when viewed from the vantage point of information security, IoT can be frightening.


The world's most notorious financial hacking operation was disrupted by Russian authorities in November, when they raided offices associated with a Moscow-based film and production company named 25th Floor.

According to the Russian authorities, 25th Floor was allegedly involved in distributing the notorious password-stealing malware known as Dyre Banking Trojan.

Malware Costs Hundreds of Millions of Dollars in Losses

The Dyre banking Trojan was typically distributed via spam campaigns and was responsible for hundreds of millions of dollars in losses at banking and financial institutions, including Bank of America Corp, PayPal, and JPMorgan Chase & Co.

Dyre, also known as Dyreza, first appeared in July 2014 and was later updated to target Windows 10 systems and their new Edge browser.

However, Dyre has not been in use since the November raid, according to cyber security experts, who said the raid represents Russia's biggest effort to date in cracking down on cyber crime.

It is not yet known whether the Russian authorities have arrested or charged anyone in connection with the raid.

However, sources familiar with the matter told Reuters that the Dyre investigation was aided by security firm Kaspersky Lab, which would reveal details about the case at its annual conference for security experts starting Sunday.

The malware authors used a variety of techniques to deliver Dyre into victims' web browsers in order to alter the communication between customers and more than 400 financial institutions.

They Were Producing a Cyber-Crime Thriller Movie — BOTNET

The name that came out of the November raid was 25th Floor, a company that distributes movies and television shows in Russia and other Eastern European and Near Eastern countries.

The company is currently producing a film called BOTNET, a cyber crime thriller based on a 2010 case in which 37 people from the United States and other countries were charged over a $3 Million scam.

25th Floor hired Moscow-based computer security company Group-IB to advise BOTNET's director and writers on the detailed aspects of cybercrime, said Group-IB CEO Ilya Sachkov. He said he was initially approached by Nikolay Volchkov, the CEO of 25th Floor.

Then Sachkov got an urgent call from Volchkov last November, saying he needed to meet.

The arrests came as part of a joint operation between Norway's Kripos National Criminal Investigation Service and Europol, codenamed "OP Falling sTAR."

According to the US security firm, all five men, aged between 16 and 24 and located in Romania, France, and Norway, were charged with possessing, using and selling malware.

One of those arrested also confessed to running his own web store selling malware designed to take full control of target computers and harvest passwords and other personal data.

The malware can also hijack webcams in real time and steal documents, images, and videos.

"Damballa's threat discovery center worked in cooperation with the Norway police over the last few months to track and identify the author of the malware dubbed MegalodonHTTP," threat researcher Loucif Kharouni wrote in a blog post.

"We are not at liberty to divulge the MegalodonHTTP author’s real identity, but we can confirm that the person behind the handle Bin4ry is no longer active or doing business."

However, the researchers said MegalodonHTTP was not very powerful; in fact, it was "quite simple" and indicated the poor coding skills of its author, and it required .NET to be installed on infected systems.

MegalodonHTTP Remote Access Trojan

MegalodonHTTP included a number of features, as listed below:

- Binary downloading and executing
- Distributed denial-of-service (DDoS) attack methods
- Remote shell
- Antivirus disabling
- Crypto miner for Bitcoin, Litecoin, Omnicoin and Dogecoin

According to the researchers, MegalodonHTTP is not advanced malware; its author wanted to develop a modular tool with a number of malicious features that nonetheless remained "as small as possible, around 20Kb."

The malware was sold on the amateur hacker hangout HackForum as well as on the bin4ry[dot]com website; the hacker was still selling it until his arrest last month.

Just last week, Europol in cooperation with Romanian law enforcement authorities arrested eight criminal hackers suspected of being part of an international criminal gang that pilfered cash from ATMs using malware.

The distributed denial-of-service botnet, dubbed XOR DDoS, targets over 20 websites per day, according to an advisory published by content delivery firm Akamai Technologies.

Over 90 percent of the XOR DDoS targets are located in Asia, and the most frequent targets are the gaming sector and educational institutions.

XOR DDoS's creator is believed to be based in China, since the IP addresses of all of its command-and-control (C&C) servers are located in Asia, where most of the infected Linux machines also reside.

How Does the XOR DDoS Botnet Infect Linux Systems?

Unlike other DDoS botnets, XOR DDoS infects Linux machines, including embedded devices such as network routers, by brute-forcing the machine's SSH service to gain root access to the target.

Once the attackers have acquired Secure Shell credentials and logged in, they use root privileges to run a simple shell script that secretly downloads and installs the malicious XOR botnet software.

However, there is no evidence that XOR DDoS infects computers by exploiting flaws in the Linux operating system itself.

A High-Bandwidth DDoS Attack

Akamai's Security Intelligence Response Team (SIRT) has seen DDoS attacks – SYN and DNS floods as the observed attack vectors – with the bandwidth ranging from a few gigabits per second (Gbps) to nearly 179 Gbps.

The upper figure is a massive DDoS attack volume that even most multinational corporate networks cannot handle. However, the biggest recorded DDoS attacks have hit 400 Gbps.

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch [massive] DDoS attacks,"Stuart Scholly, senior vice president of Akamai's Security Business Unit, said in a statement.

Scholly added that attackers are shifting their focus from Windows botnets to Linux botnets for launching massive DDoS attacks; in the past, Windows machines were the primary targets for DDoS malware.

How to Detect and Mitigate the XOR DDoS Botnet

Akamai's advisory outlines two different methods for detecting the recent version of the XOR malware.

To detect XOR DDoS on your network, look for communication between a bot and its C&C server using the Snort rule given in the advisory.

To detect XOR DDoS infections on your hosts, use the YARA rule also given in the advisory.

Moreover, Akamai also provides a four-step process for removing the XOR DDoS Trojan from your machine, as given below:

1. Identify the malicious files in two directories (/boot and /etc/init.d).

2. Identify the supporting processes responsible for the persistence of the main process.

3. Kill the malicious processes.

4. Delete the malicious files (in /boot and /etc/init.d).

Additionally, disabling root login over SSH (Secure Shell), or using a strong password, will also defeat this issue.
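The audit below is an added example, not code from Akamai's advisory or from the original article. It turns the first two clean-up steps and the SSH hardening advice into reporting functions over constructed input; the heuristic that an init script executing a binary from /boot is the persistence hook for a payload dropped there, the placeholder file name rndname123, and the extra check for password authentication are assumptions of this example, not findings from the advisory.

```python
"""Host audit for the XOR DDoS persistence pattern described above.

Added example, not code from Akamai's advisory or the original article.  It
implements the first two clean-up steps as reporting functions (find the files
in /boot and /etc/init.d, find the processes that keep them alive) and checks
the sshd_config hardening the text recommends.  Nothing here kills or deletes;
steps 3 and 4 are left to the operator once the findings are confirmed.
All sample data is constructed.
"""
import re

# Absolute paths under /boot, e.g. "/boot/rndname123".
BOOT_PATH_RE = re.compile(r"(?<![\w./-])/boot/[\w.-]+")


def init_scripts_launching_from_boot(scripts):
    """scripts: {name: text} as read from /etc/init.d.

    Assumption (not from the article): a legitimate init script never executes
    a binary stored under /boot, which holds kernels and bootloader data, so an
    init script that does is the persistence hook for a payload dropped there.
    Returns {script name: sorted list of /boot paths it references}.
    """
    return {name: sorted(set(BOOT_PATH_RE.findall(text)))
            for name, text in scripts.items() if BOOT_PATH_RE.search(text)}


def processes_running_from_boot(processes):
    """processes: iterable of (pid, cmdline) as gathered from /proc/<pid>/cmdline.

    Returns the pids whose argv[0] lives under /boot: the main bot plus the
    supporting processes that respawn it (step 2 of the clean-up).
    """
    return [pid for pid, cmdline in processes
            if cmdline.split(" ", 1)[0].startswith("/boot/")]


def sshd_setting(config_text, keyword):
    """Effective value of a global sshd_config keyword, lowercased, or None if unset.

    sshd applies the first occurrence of a keyword, so we stop at the first
    hit; directives after the first 'Match' line are conditional and ignored.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def ssh_findings(config_text):
    """Hardening findings: the article's 'no root login over SSH', plus key-only
    authentication, which removes the password brute-force path altogether."""
    findings = []
    root = sshd_setting(config_text, "PermitRootLogin")
    if root != "no":
        findings.append(f"PermitRootLogin is {root or 'unset'}; set it to 'no'")
    pw = sshd_setting(config_text, "PasswordAuthentication")
    if pw != "no":
        findings.append(f"PasswordAuthentication is {pw or 'unset (defaults to yes)'}; "
                        "set it to 'no' and use keys")
    return findings


# Constructed samples; "rndname123" is a placeholder, not a real indicator.
SAMPLE_INIT_SCRIPTS = {
    "cron": "#!/bin/sh\n# Provides: cron\nexec /usr/sbin/cron\n",
    "rndname123": "#!/bin/sh\n# chkconfig: 12345 90 90\ncase $1 in\n"
                  "start)\n    /boot/rndname123\n    ;;\nesac\n",
}
SAMPLE_PROCESSES = [(1, "/sbin/init"), (412, "/usr/sbin/cron"),
                    (2231, "/boot/rndname123"), (2235, "/boot/rndname123 -d")]
SAMPLE_SSHD_CONFIG = """# constructed sshd_config fragment
Port 22
PermitRootLogin yes
#PermitRootLogin no
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    print(init_scripts_launching_from_boot(SAMPLE_INIT_SCRIPTS))
    print(processes_running_from_boot(SAMPLE_PROCESSES))
    for finding in ssh_findings(SAMPLE_SSHD_CONFIG):
        print(finding)
```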

The US State Department and the Federal Bureau of Investigation are offering a total of $4.2 Million for information leading to the arrest and/or conviction of the top 5 most wanted cyber criminals, who are accused of frauds totaling hundreds of millions of dollars.

Evgeniy Mikhailovich Bogachev, also known under the aliases "lucky12345," "Slavik," and "Pollingsoon," is the mastermind behind the GameOver Zeus botnet, which was allegedly used by criminals to infect more than 1 Million computers, resulting in up to $100 Million in losses since 2009.

Besides GameOver Zeus botnet, Bogachev is also accused of developing CryptoLocker Ransomware, which was designed to extort money from computer victims by holding their system’s files hostage until the victim pays a ransom fee to get them back.

Bogachev tops the FBI's list, with a $3 Million reward for anyone providing information leading to his direct arrest and/or conviction.

This 34-year-old Romanian is accused of fooling innocent Americans with fake auction posts on several websites, including eBay, Cars.com, and AutoTrader.com, claiming to sell cars that just didn't exist.

Popescu and other criminal hackers affiliated with the scheme made more than $3 Million off the auctions, victimizing almost 800 users who handed over money for imaginary cars, Rolex watches, yachts, private airplanes, and other luxury goods.

Authorities tracked down and arrested six members of the cyber gang in late 2012, but Popescu and a partner slipped away.

3. Alexsey Belan | Reward - $100,000

Alexsey Belan, a Russian national, is wanted for allegedly stealing consumer data by compromising the cyber security systems of three unnamed major US-based e-commerce sites in Nevada and California between 2012 and 2013.

After stealing and exporting user databases, including passwords, to his server, Belan allegedly negotiated sales of the databases.

4. Peteris Sahurovs | Reward - $50,000

Peteris Sahurovs is accused of developing and selling a computer virus through advertisements on news website pages. He allegedly carried out the scheme from February 2010 to September 2010.

Under the scheme, fake ads displayed on the web pages pressured users into purchasing fraudulent antivirus software.

If a user refused to buy the software, the victim's desktop would be flooded with pop-ups and fake security alerts.

Sahurovs, a native of Latvia, made more than $2 Million by selling his "antivirus" software.

5. Shailesh Kumar Jain | Reward - $50,000

Shailesh Kumar Jain is the only American citizen on the FBI’s Most Wanted Hackers list.

Jain made $100 Million between December 2006 and October 2008, according to the FBI. He used a flood of pop-up ads and email scams to convince users that their computers were infected with a virus, then sold them bogus AV software packages for between $30 and $70.

U.S. and European law enforcement agencies have shut down a highly sophisticated botnet that had infected more than 12,000 computers worldwide, allowing hackers to steal victims' banking information and other sensitive data.

Law enforcement agencies from the United States, the United Kingdom and the European Union conducted a joint operation to dismantle the botnet and seized the command-and-control server that had been used to operate the Beebone (also known as AAEH) botnet.

What’s a Botnet?

A botnet is a network of a large number of computers compromised with malicious software and controlled surreptitiously by hackers without the victims' knowledge.

Basically, a "botnet" is a hacker’s "robot" that does the malicious work directed by hackers.

Hackers and cyber criminals have sharpened their skills and now use botnets as a cyber weapon for multiple crimes, such as distributed denial-of-service (DDoS) attacks, mass spamming, advertising revenue manipulation, cyber espionage, bitcoin mining and surveillance.

However, this is not the first time we have heard of a sophisticated botnet taken down by law enforcement agencies.

Just two months ago, law enforcement took down the Ramnit botnet, which had infected over 3.2 Million computers worldwide, and last year the FBI and Europol tore down the GameOver Zeus botnet, although it came back a month after its takedown.

So, What’s new about Beebone Botnet?

Beebone is downloader malware: it installs other malicious software, including ransomware and rootkits, onto victims' machines without their consent.

The network it infected was not large, but the operators managed to maintain control of the infected machines over the years by making Beebone polymorphic, so that it could update itself to avoid antivirus detection.

Here’s the Kicker:

Beebone updates itself as many as 19 times a day, which makes it a somewhat different threat from existing botnets and hampers detection.

Once infected, the machines were ordered to "distribute malicious software, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the data to a readable state," the US Computer Emergency Response Team (US-CERT) said.

5 MILLION UNIQUE SAMPLES OF BEEBONE IN THE WILD

Initial figures show:

Beebone has infected over 12,000 computers, a tiny number compared to past botnets such as Zeus, which infected millions of computers across the world.

However, many more are believed to exist. According to Europol, there are currently more than 5 Million unique samples of Beebone in the wild, with over 205,000 samples taken from a total of 23,000 computer systems between 2013 and 2014.

BEEBONE INFECTION WORLDWIDE

The footprint of Beebone botnet is worldwide:

Beebone infections spread across more than 195 countries. Most of the infections are reported in the United States, followed by Japan, India, and Taiwan, said Europol's Deputy Director of Operations, Wil van Gemert.

What’s the best part?

The Federal Bureau of Investigation (FBI) is currently working with other U.S. law enforcement agencies and Europol's European Cybercrime Centre (EC3), the Dutch National High Tech Crime Unit and the Joint Cybercrime Action Taskforce in order to combat Beebone.

Why Do Botnets Re-emerge After Takedowns?

The main reason, in my view, is that the botnet's author did not get arrested.

It really doesn't matter how many domains law enforcement takes down or how many sinkholes security researchers create if the attackers are not arrested…

...nobody can stop criminals from building a new botnet from scratch.

Thus, I really appreciate the FBI effort to weed out GameOver Zeus botnet by announcing a reward of $3 Million for the information leading to the direct arrest or conviction of Evgeniy Mikhailovich Bogachev -- The alleged author of GameOver Zeus botnet that stole more than $100 Million from bank accounts.

It seems like the world has declared war against cyber criminals. In a recent update, we reported that the FBI is offering a $3 Million reward for the arrest of the GameOver Zeus botnet mastermind, and meanwhile British cyber-police have taken down the widespread RAMNIT botnet.

The National Crime Agency (NCA) in a joint operation with Europol's European Cybercrime Centre (EC3) and law enforcement agencies from Germany, Italy, the Netherlands, and the United Kingdom has taken down the Ramnit "botnet", which has infected over 3.2 million computers worldwide, including 33,000 in the UK.

Like GameOver Zeus, RAMNIT is a 'botnet' - a network of zombie computers which operate under criminal control for malicious purposes like spreading viruses, sending out spam containing malicious links, and carrying out distributed denial of service (DDoS) attacks in order to bring down target websites.

RAMNIT is believed to spread via seemingly trustworthy links sent through phishing emails or social networking sites, and mainly targets people running Windows operating systems in order to steal money from victims' bank accounts. Moreover, public FTP servers have also been found distributing the malware.

Once installed, the infected computer comes under the control of the botnet operators. The module downloads, without the user's knowledge, a virus onto the victim’s computer which can be used by the operators to access personal or banking information, steal passwords and disable anti-virus protection.

RAMNIT SHUT-DOWN IN AN OPERATION

In a statement on Tuesday, Europol revealed that the successful take-down of the Ramnit botnet involved the help of Microsoft, Symantec and AnubisNetworks. The groups shut down the botnet's command and control infrastructure and redirected traffic from a total of 300 domain addresses used by the Ramnit criminal operators.

"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime," said Wil van Gemert, Europol's deputy director of operations. "We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes."

NASTY FEATURES OF RAMNIT BOTNET

Symantec says that Ramnit has been around for over four years, first originating as a computer worm. According to the anti-virus firm, Ramnit is a "fully-featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim." The features are:

SPY MODULE - This is one of the most powerful Ramnit features, as it monitors the victim’s web browsing and detects when they visit online banking sites. It can also inject itself into the victim’s browser and manipulate the bank’s website in such a way that it still appears legitimate, and so easily grab the victim’s credit card details.

COOKIE GRABBER - This steals session cookies from web browsers and sends them back to the Ramnit operators, who can then use the cookies to authenticate themselves on websites and impersonate the victim. This could allow an attacker to hijack online banking sessions.

DRIVE SCANNER - This scans the computer’s hard drive and steals files from it. The scanner is configured in such a way that it searches for specific folders which contain sensitive information such as victims’ passwords.

ANONYMOUS FTP SERVER - By connecting to this server, the malware lets attackers remotely access the infected computers and browse the file system. The server can be used to upload, download, or delete files and execute commands.

VIRTUAL NETWORK COMPUTING (VNC) MODULE - This feature provides the attackers with another means to gain remote access to the compromised computers.

FTP GRABBER - This feature allows the attackers to gather login credentials for a large number of FTP clients.

WHY BOTNETS RE-EMERGE AFTER TAKEDOWNS?

According to the authorities, the Ramnit botnet has been taken down, but is it guaranteed that the botnet will not re-emerge? We saw the takedown of the GameOver Zeus botnet by the FBI and Europol as well, but what happened in the end? Just a month later, the GameOver Zeus botnet came back into operation with even nastier features.

So, what went wrong? Why are botnet takedowns ineffective? One reason could be that the organisations grab and take down only a small fraction of the command-and-control domains that make up the botnet's critical infrastructure, leaving the majority active. It then takes a botnet operator only a few months to recover.

As more and more botnet networks are taken down by Law Enforcement, cyber criminals are increasingly using secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA).

One of the main reasons that the botnet re-emerged is that the author of the malware didn’t get arrested. No matter how many domains are taken down or how many sinkholes researchers create, if the attackers are not arrested, nobody can stop them from building a new botnet from scratch.

On this front, we really appreciate the FBI's step of offering a $3 Million reward for information leading to the direct arrest or conviction of Evgeniy Mikhailovich Bogachev, the alleged author of the GameOver Zeus botnet that was used by cybercriminals to steal more than $100 Million from online bank accounts.

The US State Department and the Federal Bureau of Investigation announced Tuesday a $3 Million reward for the information leading to the direct arrest or conviction of Evgeniy Mikhailovich Bogachev, one of the most wanted hacking suspects accused of stealing hundreds of millions of dollars with his malware.

This is the highest bounty U.S. authorities have ever offered in any cyber case. The 30-year-old Russian man is, according to the bureau, the alleged leader of a cyber criminal group that developed the GameOver Zeus botnet.

STOLE MORE THAN $100 MILLION

Evgeniy Mikhailovich Bogachev, also known under the aliases "lucky12345," "Slavik," and "Pollingsoon," was the mastermind behind the GameOver Zeus botnet, which was allegedly used by cybercriminals to infect more than 1 Million computers and resulted in more than $100 Million in losses since 2011.

Once installed on a target system, GameOver Zeus makes fraudulent transactions from online bank accounts. It also has the capability to conduct Distributed Denial of Service (DDoS) attacks using the botnet, in which multiple computers flood the financial institution’s server with traffic in an effort to deny legitimate users access to the site.

SAME MASTERMIND BEHIND CRYPTOLOCKER

Not just GameOver Zeus botnet, the alleged suspect is also accused of masterminding the CryptoLocker Ransomware, which is designed to extort money from computer users by holding computer files hostage until the computer user pays a ransom fee to get them back.

CryptoLocker encrypts victims' hard drives with strong AES-256-bit encryption before it demands money. The ransomware was widely distributed on the Gameover ZeuS botnet and, as a result, has infected hundreds of thousands of computers.

Gameover ZeuS botnet was disrupted by the feds last year but remains operational. "Although we were able to significantly disrupt the Gameover ZeuS and Cryptolocker criminal enterprise, we have not yet brought Bogachev himself to justice," Assistant Attorney General Leslie Caldwell said in a statement.

MOST WANTED CRIMINAL

Joseph Demarest Jr., assistant director of the FBI's cyber division, described Bogachev as both "one of the world's worst'' and "brilliant at what he did.'' The authorities charged Bogachev with conspiracy, computer hacking, wire fraud, bank fraud and money laundering under a 14-count indictment last year.

"We are turning to the world again for assistance in locating Bogachev," said FBI assistant director Joseph Demarest. "While he is known to reside in Russia, he may travel. With this $3 million reward incentive, someone, somewhere may see him and let the authorities know his whereabouts."

CALL THE FBI TO BE REWARDED WITH $3 MILLION

In appearance, Bogachev is 5'9" tall, weighs around 180lbs, with brown eyes and brown hair. He was last seen in the Russian seaside resort of Anapa. He is believed to be still in Russia, although "he may travel," according to authorities.

Bogachev is on the FBI’s Most Wanted cyber list. Anyone spotting him and wishing to be rewarded by the Federal Bureau of Investigation can call the feds at 1-800-225-5324, or can do the same online by visiting tips.fbi.gov.

According to a survey of traffic conducted in September by researchers at Dr. Web, over 17,000 Macs globally are part of the Mac.BackDoor.iWorm botnet, which creates a backdoor on machines running OS X. Researchers say almost a quarter of the iWorm botnet's machines are located in the US.

The most interesting thing to notice about this botnet is the special method it uses to locate its controllers: it queries Reddit's search service for posts to a Minecraft server list subreddit in order to collect the IP addresses for its command and control (CnC) network. The user account that posted that server data has now been shut down, though the malware creators are likely to set up another server list.

"It is worth mentioning that in order to acquire a control server address list, the bot uses the search service at reddit.com, and – as a search query – specifies hexadecimal values of the first 8 bytes of the MD5 hash of the current date," the Russian company said in a statement on its website.

"The reddit.com search returns a web page containing a list of botnet C&C servers and ports published by criminals in comments to the post minecraftserverlists under the account vtnhiaovyd."
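Because the bot's rendezvous query is derived from the date, a defender can precompute the same token and look for it in outbound proxy logs. The following is an added example, not code from Dr. Web or the malware; the date string format the bot hashes is not given on the page, so `"%Y-%m-%d"` is an assumption exposed as a parameter, and the proxy log lines are constructed.

```python
import hashlib
from datetime import date, timedelta
from urllib.parse import parse_qs, urlparse

# The page states the bot searches reddit.com for the hex form of the first
# 8 bytes of the MD5 of the current date. The date string format is not
# given; "%Y-%m-%d" is an assumption and is a parameter throughout.
DEFAULT_DATE_FMT = "%Y-%m-%d"


def iworm_query_token(day: date, fmt: str = DEFAULT_DATE_FMT) -> str:
    """Hex of the first 8 bytes (16 hex chars) of MD5(date string)."""
    digest = hashlib.md5(day.strftime(fmt).encode("ascii")).digest()
    return digest[:8].hex()


def expected_tokens(today: date, window: int = 1,
                    fmt: str = DEFAULT_DATE_FMT) -> dict:
    """Tokens for today plus/minus `window` days, to absorb clock skew and
    timezone differences between the infected host and the log source."""
    return {
        iworm_query_token(today + timedelta(days=d), fmt): today + timedelta(days=d)
        for d in range(-window, window + 1)
    }


def _is_hash_like(q: str) -> bool:
    # 16 lowercase hex chars = 8 bytes, the shape of the bot's query
    return len(q) == 16 and all(c in "0123456789abcdef" for c in q)


def find_reddit_search_hits(log_lines, today: date, fmt: str = DEFAULT_DATE_FMT):
    """Scan proxy log lines of the constructed form "<ts> <client_ip> <method> <url>"
    and return (client_ip, query, reason) for reddit searches whose query
    matches a date token ("date-match:<date>") or merely has the shape of an
    8-byte hash ("hash-like"). Malformed lines are skipped."""
    tokens = expected_tokens(today, fmt=fmt)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client_ip, url = parts[1], parts[3]
        u = urlparse(url)
        host = u.netloc.lower()
        if not (host == "reddit.com" or host.endswith(".reddit.com")):
            continue
        if not u.path.startswith("/search"):
            continue
        q = parse_qs(u.query).get("q", [""])[0].strip().lower()
        if q in tokens:
            hits.append((client_ip, q, "date-match:" + tokens[q].isoformat()))
        elif _is_hash_like(q):
            hits.append((client_ip, q, "hash-like"))
    return hits


# Constructed sample proxy log (not real traffic). Line 1 carries the token
# for the analysis date, line 2 is a benign search, line 3 is hash-shaped but
# not a date token, line 4 is the token sent to a non-reddit host.
ANALYSIS_DATE = date(2014, 9, 30)
SAMPLE_LOG = [
    "2014-09-30T10:01:02Z 10.0.0.5 GET https://www.reddit.com/search?q="
    + iworm_query_token(ANALYSIS_DATE),
    "2014-09-30T10:02:10Z 10.0.0.6 GET https://www.reddit.com/search?q=minecraft+servers",
    "2014-09-30T10:03:11Z 10.0.0.7 GET https://www.reddit.com/search?q=0123456789abcdef",
    "2014-09-30T10:04:12Z 10.0.0.8 GET https://example.com/search?q="
    + iworm_query_token(ANALYSIS_DATE),
]

if __name__ == "__main__":
    for hit in find_reddit_search_hits(SAMPLE_LOG, ANALYSIS_DATE):
        print(hit)
```

If the real format differs, only `fmt` changes; the hash-like heuristic still flags 16-hex-character reddit searches regardless of the date format.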

Though the researchers did not mention how Mac.BackDoor.iWorm spreads, they did share that the "dropper" program of the malware installs it in the Library directory within the affected user’s account home folder, disguised as an Application Support directory for "JavaW", and sets it to autostart.

Once a Mac has been infected, the software establishes a connection with the command and control server. The backdoor on the user's system can be used to receive instructions in order to perform a variety of tasks, from stealing sensitive information to receiving or spreading other malicious software. It could also change configuration or put a Mac to sleep.

"Criminals developed this malware using C++ and Lua. It should also be noted that the backdoor makes extensive use of encryption in its routines. During installation it is extracted into /Library/Application Support/JavaW, after which the dropper generates a p-list file so that the backdoor is launched automatically," the company added.

The Mac.BackDoor.iWorm is likely to be used to send spam emails, flood websites with traffic, or mine bitcoins. Most of the compromised machines are located in the US; Canada ranks second with 1,235 compromised addresses, followed by the United Kingdom with 1,227 addresses, and the rest are in Europe, Australia, the Russian Federation, Brazil and Mexico.

Researchers on Thursday discovered a critical remotely exploitable vulnerability in the widely used command-line shell GNU Bourne Again Shell (Bash), dubbed "Shellshock" which affects most of the Linux distributions and servers worldwide, and may already have been exploited in the wild to take over Web servers as part of a botnet that is currently trying to infect other servers as well.

BOTNET ATTACK IN THE WILD

The bot was discovered by the security researcher with the Twitter handle @yinettesys, who reported it on Github and said it appeared to be remotely controlled by miscreants, which indicates that the vulnerability is already being used maliciously by the hackers.

The vulnerability (CVE-2014-6271), which came to light on Wednesday, affects versions 1.14 through 4.3 of GNU Bash and could become a dangerous threat to Linux/Unix and Apple users if the patches to BASH are not applied to the operating systems.

Patches for the vulnerability have been released, but there is concern that the initial fix still leaves Bash vulnerable to attack, according to a new US-CERT National Vulnerability Database entry. There is as yet no official patch that completely addresses both issues, including the second, which allows an attacker to overwrite files on the targeted system.

SHELLSHOCK vs THE INTERNET

Robert Graham of Errata Security observed that mass internet scanning is already being used by cyber criminals in order to locate vulnerable servers for attack. During a scan, Graham found about 3,000 servers that were vulnerable "just on port 80" — the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests.

The Internet scan broke after a short while, which means that there could be a large number of other servers vulnerable to the attack.

"It's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi)," Graham wrote in a blog post. "Getting just the root page is the thing least likely to be vulnerable. Spidering the site and testing well-known CGI scripts (like the CPanel one) would give a lot more results—at least 10x."

In addition, Graham said, "this thing is clearly wormable and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable—once the worm gets behind a firewall and runs a hostile DHCP server, that would be 'game over' for large networks."

32 ORACLE PRODUCTS VULNERABLE

Oracle has also confirmed that over 32 of its products are affected by the "Shellshock" vulnerability, including some expensive integrated hardware systems of the company. The company warned its users to wait a bit longer for the complete patch, by issuing a security alert regarding the Bash bug on Friday.

"Oracle is still investigating this issue and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against the vulnerability," the company said.

PATCH ISSUED, BUT INCOMPLETE

Patches were released by most of the Linux distributions, but Red Hat has updated an advisory warning that the patch is incomplete, the same issue that was also raised by the infosec community on Twitter.

"Red Hat has become aware that the patches shipped for this issue are incomplete," said Red Hat security engineer Huzaifa Sidhpurwala. "An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169."

Although people are urged to apply the released patch to thwart most attacks on the affected systems, another patch is expected to be released as soon as possible.
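The practical question for an administrator after reading the above is whether the bash on a given host is still affected by the original bug. The following is an added example, not code from Red Hat or the original article: it runs the local bash with an environment variable shaped like an exported function definition followed by a trailing command, and reports whether that trailing command was executed (CVE-2014-6271 only; it does not test the incomplete-fix follow-up CVE-2014-7169). The marker string and variable name are constructed.

```python
import os
import subprocess

# Marker the crafted variable prints only if the shell executes the trailing
# command while importing the function definition (CVE-2014-6271).
MARKER = "SHELLSHOCK_MARKER_CONSTRUCTED"

# An environment variable whose value looks like an exported bash function
# followed by an extra command. A patched bash ignores such variables (or
# imports only the function body); an unpatched bash runs the extra command
# while processing its environment at startup.
CRAFTED_VALUE = "() { :;}; echo " + MARKER


def classify_output(stdout: str) -> str:
    """Map the child's stdout to a verdict. Kept separate from the process
    launch so the decision logic can be tested without running bash."""
    return "vulnerable" if MARKER in stdout else "patched"


def check_shellshock(bash_path: str = "bash") -> str:
    """Run `bash -c 'echo probe'` with the crafted variable in its environment
    and return "vulnerable", "patched" or "bash-not-found". Only the local
    interpreter is exercised; nothing touches the network."""
    env = dict(os.environ)
    env["SHELLSHOCK_TEST_VAR"] = CRAFTED_VALUE  # constructed variable name
    try:
        proc = subprocess.run(
            [bash_path, "-c", "echo probe"],
            env=env, capture_output=True, text=True, timeout=10, check=False,
        )
    except FileNotFoundError:
        return "bash-not-found"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    print(check_shellshock())
```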

AppNexus, a New York-based online ad network company that provides a platform specializing in real-time online advertising, has again been spotted as the origin of a recent "malvertising" campaign that makes use of the Angler Exploit Kit to redirect visitors to malicious websites hosting the Asprox malware.

AppNexus servers process 16 billion ad buys per day, giving it the biggest reach on the open web after Google. Back in May, AppNexus was serving malicious ads targeting Microsoft’s Silverlight platform. The world’s largest Internet video subscription service, Netflix, runs on Silverlight, and because of its popularity, hackers have been loading exploit kits with Silverlight exploits.

As part of this campaign, users of several high-profile websites including Java.com, Deviantart.com, TMZ.com, Photobucket.com, IBTimes.com, eBay.ie, Kapaza.be and TVgids.nl, last week were redirected to websites serving malicious advertisements that infected visitors by installing botnet malware on their computer, said security company Fox-IT.

“These websites have not been compromised themselves, but are the victim of malvertising. This means an advertisement provider, providing its services to a small part of a website, serves malicious advertisement aimed at infecting visitors with malware,” researchers at Fox-IT said in a blog post.

Angler exploit kits are available on underground forums and are used in various malicious campaigns to compromise websites and redirect users to websites hosting banking malware and other types of malicious code in order to victimize them.

“Please note, a visitor does not need to click on the malicious advertisements in order to get infected. This all happens silently in the background as the ad is loaded by the user’s browser,” researchers warned.

According to the researchers, Angler first checks whether the victim’s browser supports outdated versions of Java, Adobe Flash Player or Microsoft Silverlight, and then silently installs a variant of the Asprox botnet malware.

Asprox is generally a spam botnet that was involved in multiple high-profile attacks on various websites in order to spread malware. The malware recently has been modified for click-fraud and cyber criminals are using it to spread malware through email attachments with exploit kits. It also has other malicious functionality including scanning websites for vulnerabilities and stealing log-in credentials stored on computers.

“Asprox has gone through many changes and modifications which includes spam modules, website scanning modules and even credential stealing modules,” Fox-IT said. “This history and current events show Asprox is still actively being developed and used.”

Once a visitor lands on a site hosting the malicious ad, they are redirected in the background to ads[.]femmotion[.]com, which then redirects to the exploit kit on a number of other domains, including the gloriousdead[.]com and taggingapp[.]com.

“All the exploit kit hosts were observed using port 37702. Running exploit kits on high ports at best prevents certain network tools from logging the HTTP connections, as these are typically configured to monitor only HTTP ports,” Fox-IT said. “It does mean this exploit kit is blocked on a lot of corporate networks as they do not allow for browsing outside the normal HTTP ports, port 80 (or proxy ports) and 443 for SSL.”

In order to show targeted advertisements to users, advertisers engage in an automatic, real-time bidding process, which makes malicious advertisements more difficult to track. “In the case of this malvertising campaign the malicious advertisers were the highest bidders,” Fox-IT says.

Hackers used a method called “retargeting”, which is actually used by Digital Advertising agencies to rotate the ads shown to the same visitor when they access a specific page multiple times.

“The way it works is that a user with an interesting set of tracking cookies and other metadata for a certain adprovider is retargetted from the original advertisement content on the website to the modified or personalized data,” Fox-IT researchers said. “We have seen examples where the website that helped with the ad redirect to infect a user had no idea it was helping the delivery of certain content for a certain ad provider.”

Botnets - secretly compromised networks of ordinary home and office computers infected with rogue software or "malware" and controlled by an individual criminal or a group - have increased dramatically over the past several years and are considered to pose the biggest threat to the Internet.

Cyber criminals have brushed-up their hacking skills and are using Botnets as a cyber weapon to carry out multiple crimes like DDoS attacks (distributed denial of service), mass spamming, page rank and advertising revenue manipulation, mining bitcoins, cyber espionage and surveillance etc.

18 BOTNET INFECTIONS PER SECOND

According to the director of the FBI’s cyber division, Joseph Demarest, botnets have become one of the biggest enemies of the Internet today, and their impact has been significant. Yesterday, during a hearing before a U.S. Senate committee, he said that every second 18 computers worldwide become part of botnet armies, which amounts to over 500 million compromised computers per year.

The network of compromised systems can carry out drastic cyber crime activities without the knowledge of the computers’ owners. A botnet allows its operator to steal personal and financial information, get into system owners’ bank accounts, steal millions of credit cards, shut down websites, monitor your every keystroke and even secretly activate systems’ cameras, which puts users at great risk.

On Tuesday, a U.S. Senate committee assembled to discuss the progress of FBI agency’s current and future anti-cyber crime strategy to disrupt Botnets, with agenda: “Taking Down Botnets: Public and Private Efforts to Disrupt and dismantle Cyber Criminal Networks.”

BOTNET FETCHED MILLIONS OF DOLLARS

Joseph Demarest said the news is troubling, as the botnets' high infection rate costs the US and global economies billions of dollars. Despite several successes, "our work is never done," noted the FBI official.

"The use of botnets is on the rise. Industry experts estimate that botnet attacks have resulted in the overall loss of millions of dollars from financial institutions and other major US businesses," Demarest said.

"As you well know, we face cyber threats from state-sponsored hackers, hackers for hire, organized cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas—things of incredible value to all of us.”

TWO FACES OF THE SAME GOVERNMENT - FBI & NSA

The FBI is trying to take down cyber criminals and putting all its effort into shutting down botnet networks - which really sounds cool! But could you answer me this: how is the NSA conducting its widespread mass surveillance program? Yes, of course, with the use of similar exploits and botnet malware. It was revealed a few months ago by the Edward Snowden leaks that the NSA is taking over entire networks of already-hacked machines (botnets) and using them for its own purposes.

Also, at the end of last year, the Dutch newspaper NRC Handelsblad reported that documents leaked by Snowden also revealed that the NSA had established an army of "sleeper cells" – malware-infected, remote-controllable computers – on 50,000 networks by the middle of 2012, which wait for months or longer before being activated by the agency and beginning to harvest data.

So, when one side of the U.S. government is making every effort to shut down widespread botnet networks while, at the same time, the other side of the government is building up its weapons with the use of similar malware and botnets, it is difficult to mitigate the problem, and this unbalanced situation on the Internet is the main cause of terror in the digital world.

Well, botnets, malware, viruses, worms and other cyber threats are really a big issue for all of us, and these attacks become more sophisticated and widespread when they are financially motivated.

We also appreciate U.S. government efforts to combat cyber crime. A month ago, the FBI and Europol also took down the GameOver Zeus botnet, which had stolen more than $100 million from banks, businesses and consumers worldwide.

A month after the FBI and Europol took down the GameOver Zeus botnet by seizing servers and disrupting the botnet’s operation, security researchers have unearthed a new variant of malware based explicitly on the same Gameover ZeuS that compromised users’ computers and collectively formed a massive botnet.

GAMEOVER ZEUS TROJAN

The massive botnet, essentially a collection of zombie computers, was specifically designed to steal banking passwords, with the capability to perform Denial of Service (DoS) attacks on banks and other financial institutions in order to deny legitimate users access to the site, so that the thefts remained hidden from the users.

As a result of it, Gameover ZeuS’ developers have stolen more than $100 million from banks, businesses and consumers worldwide.

NEW GAMEOVER ZEUS TROJAN

On Thursday, security researchers at the security firm Malcovery came across a series of new spam campaigns that were distributing a piece of malware based on the Gameover Zeus code which is being distributed as an attachment to spam emails, masquerading as legitimate emails from financial institutions, including M&T Bank and NatWest.

"Today Malcovery's analysts identified a new trojan based heavily on the Gameover Zeus binary," the firm's blog post read. "It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed."

ATTACK VECTOR

Malcovery has published a full disclosure and complete rundown of the botnet, which shows that all the malicious emails it sends to lure users contain a zip file with a .scr attachment inside. Once opened, the file infects the computer and turns it into a zombie, and the threat is dangerous because many anti-virus solutions were not able to detect the malicious software.

“Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a Domain Generation Algorithm (DGA). The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing,” the analysis of the malware by Brendan Griffin and Gary Warner of Malcovery says.

“Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information ‘webinject’ files from the server.”

This new Gameover Zeus botnet has a more robust implementation that makes it even more difficult to combat than the previous one.

As Malcovery writes, “this discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”

STATEMENT BY DEPARTMENT OF JUSTICE

On Friday, the Department of Justice released a statement saying that this new Gameover Zeus botnet was not linked with the botnet that it previously targeted.

“The Justice Department reported that all or nearly all of the active computers infected with Gameover Zeus have been liberated from the criminals’ control and are now communicating exclusively with the substitute server established pursuant to court order,” the agency said.

“The Justice Department also reported that traffic data from the substitute server shows that remediation efforts by Internet service providers and victims have reduced the number of computers infected with Gameover Zeus by 31 percent since the disruption commenced.”